
The Swiss FADP Compliance Checklist for Digital Mail Handling (2025 Edition)
Stop guessing: this 10-point checklist shows how to keep every scanned letter FADP-ready—and how Alfred automates half the work.
1. Understand the revised FADP (in force since 1 Sep 2023)
The law tightened breach-notification deadlines and introduced a record-of-processing obligation.[secureprivacy.ai],[lexology.com]
Key Changes:
- Data breach notification within 72 hours
- Mandatory record of processing activities
- Stricter consent requirements
- Enhanced individual rights
2. Map physical letters to "personal data"
Tax slips, medical letters, even address labels are all covered. Under FADP, personal data includes any information relating to an identified or identifiable natural person.
Common mail types and their data classification:
- ✓ Invoices - Contains names, addresses, purchase history
- ✓ Bank statements - Financial data, transaction history
- ✓ Insurance documents - Health information, personal details
- ✓ Tax forms - Income data, social security numbers
- ✓ Medical correspondence - Sensitive health data (special category)
3. Choose a Swiss-hosted processor
ePost scans remain in Swiss datacentres; Alfred processes and stores metadata exclusively in Zurich & Geneva regions.
Swiss hosting advantages:
- No cross-border data transfers
- Swiss Federal Data Protection Act applies
- Strong privacy laws and enforcement
- No foreign surveillance laws
4. Minimise data transfers
Use Alfred's on-the-fly classification so only the PDF—and never the raw image—is forwarded to Gmail/SharePoint.
Data minimization in practice:
1. Raw scan stays in Swiss ePost servers
2. Alfred extracts only necessary metadata
3. PDF is encrypted before any transfer
4. Only classified data leaves Switzerland (if configured)
5. Enable role-based access & logs
Alfred writes immutable access logs you can export during a DPIA (Data Protection Impact Assessment).
| Log Type | Information Captured | Retention |
|---|---|---|
| Access logs | User ID, timestamp, action, resource | 90 days |
| Processing logs | Document ID, processing steps, results | 180 days |
| Consent logs | User consent, timestamp, scope | Indefinite |
FAQ
Q: Is encrypting the PDF alone enough for FADP?
A: No. You must also hash the file name or strip identifying info because filenames count as personal data.
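
One way to do the filename step from the answer above, as an added example (not Alfred's or ePost's code): it uses a keyed HMAC-SHA256 rather than a plain hash, because filenames built from a surname and a year are easy to guess and a plain hash of a guessable value can be matched back to it. The function names, the extension allow-list, and the sample filename and key are assumptions constructed for illustration.

```python
import hashlib
import hmac
import unicodedata
from pathlib import PurePosixPath
from typing import Iterable, Optional

# Assumed allow-list: extensions that may survive on the forwarded file.
SAFE_EXTENSIONS = {".pdf", ".png", ".tif", ".tiff", ".jpg", ".jpeg"}


def canonical_name(original: str) -> str:
    """Strip directories and normalise, so one visible name gives one token."""
    name = PurePosixPath(original.replace("\\", "/")).name
    if not name:
        raise ValueError("empty filename")
    return unicodedata.normalize("NFC", name).casefold()


def pseudonymise_filename(original: str, key: bytes, hex_len: int = 32) -> str:
    """Opaque replacement name: truncated HMAC-SHA256 tag plus a safe extension."""
    if len(key) < 32:
        raise ValueError("key must be at least 32 bytes")
    canonical = canonical_name(original)
    ext = PurePosixPath(canonical).suffix
    if ext not in SAFE_EXTENSIONS:
        ext = ".bin"  # an unusual extension can itself be identifying
    tag = hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()
    return tag[:hex_len] + ext


def unkeyed_match(digest_hex: str, guesses: Iterable[str]) -> Optional[str]:
    """Why a plain hash is weak: a guessable name can be matched to its digest."""
    for guess in guesses:
        plain = hashlib.sha256(canonical_name(guess).encode("utf-8")).hexdigest()
        if hmac.compare_digest(plain, digest_hex):
            return guess
    return None


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key; keep a real key in a secret store
    sample = "C:\\scans\\Mueller_Hans_Steuer_2024.PDF"  # constructed sample name
    print(pseudonymise_filename(sample, key))
```

The same key must be used wherever the mapping needs to be reproducible, and the folder path is dropped because directory names often carry the addressee as well.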
The Complete 10-Point FADP Checklist
1. Data Inventory - Document all mail types and personal data categories
2. Legal Basis - Establish lawful grounds for processing (consent, contract, legal obligation)
3. Swiss Hosting - Ensure all data remains in Swiss data centers
4. Encryption - Implement end-to-end encryption for all documents
5. Access Control - Set up role-based permissions and multi-factor authentication
6. Audit Logs - Enable comprehensive logging for all access and processing
7. Data Minimization - Process only necessary data, delete when no longer needed
8. Breach Protocol - Establish 72-hour notification procedures
9. Individual Rights - Implement processes for access, rectification, deletion requests
10. Regular Reviews - Conduct quarterly compliance assessments
How Alfred Automates Compliance
Automatic Features
- ✓ Swiss-only data residency
- ✓ Encrypted storage & transfer
- ✓ Immutable audit logs
- ✓ Role-based access control
- ✓ Automatic data retention
Compliance Reports
- ✓ Processing activity records
- ✓ Access history exports
- ✓ Data inventory reports
- ✓ Consent tracking
- ✓ DPIA templates